Darknet Traffic Analysis by Focusing on The Stability of Traffic
Abstract
A darknet is reachable but unused IP address space. Since legitimate hosts generally have no reason to send packets to a darknet, most of the packets seen there are the result of attacks, experiments or errors. Darknet traffic analysis is therefore a good way to understand the activities of attackers, worms, and infected hosts on the Internet. In this paper, we analyse darknet traffic by focusing on traffic stability. The concept of traffic stability is that the relative volume of the dominant traffic components does not change drastically. We hypothesize that, although the volume of darknet traffic is orders of magnitude smaller than that of Internet traffic, the stability principle holds and that instabilities in the traffic indicate the occurrence of some event in the darknet. We categorize darknet packets based on the values of fields in the packet header and calculate the volume of the dominant components. We analysed two datasets of darknet traffic and found several significant instabilities. We analysed the causes of the instabilities and the characteristics of the corresponding packet categories. Some of the detected events could be correlated with known and recorded network events. The analysis results show that traffic stability is a useful concept even for darknet traffic analysis.
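The following sketch illustrates the stability idea from the abstract; it is an added example, not code or a method taken from the paper. It assumes packets are categorized by (protocol, destination port), that the dominant components are the top-k categories per time window, and that instability is measured as half the summed absolute change in their shares against a fixed threshold; all of these choices and the sample records are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: one (time_window, protocol, destination_port) per packet.
# Illustrative records only, not data from the paper.
PACKETS = (
    [(0, "tcp", 23)] * 50 + [(0, "tcp", 445)] * 30 + [(0, "udp", 53)] * 20
    + [(1, "tcp", 23)] * 55 + [(1, "tcp", 445)] * 28 + [(1, "udp", 53)] * 22
    + [(2, "tcp", 23)] * 48 + [(2, "tcp", 445)] * 31 + [(2, "udp", 123)] * 120
    + [(3, "tcp", 23)] * 52 + [(3, "tcp", 445)] * 29 + [(3, "udp", 123)] * 115
)

def shares_per_window(packets):
    """Relative volume of each (protocol, port) category in each window."""
    counts = defaultdict(Counter)
    for window, proto, dport in packets:
        counts[window][(proto, dport)] += 1
    shares = {}
    for window in sorted(counts):
        total = sum(counts[window].values())
        shares[window] = {cat: n / total for cat, n in counts[window].items()}
    return shares

def dominant(share, top_k):
    """The top_k categories by relative volume (assumed definition)."""
    return set(sorted(share, key=share.get, reverse=True)[:top_k])

def find_instabilities(packets, top_k=3, threshold=0.2):
    """Flag windows whose dominant-component shares shift by more than threshold.

    Returns (window, category with the largest share change, distance).
    The distance measure and threshold are assumptions of this example.
    """
    shares = shares_per_window(packets)
    windows = sorted(shares)
    events = []
    for prev, cur in zip(windows, windows[1:]):
        cats = dominant(shares[prev], top_k) | dominant(shares[cur], top_k)
        deltas = {c: shares[cur].get(c, 0.0) - shares[prev].get(c, 0.0) for c in cats}
        distance = sum(abs(d) for d in deltas.values()) / 2
        if distance > threshold:
            cause = max(deltas, key=lambda c: abs(deltas[c]))
            events.append((cur, cause, round(distance, 3)))
    return events

if __name__ == "__main__":
    for window, cause, distance in find_instabilities(PACKETS):
        print(f"window {window}: instability {distance}, largest shift in {cause}")
```

Absolute packet counts barely move for the TCP categories in the sample, yet their shares drop sharply in window 2; working on relative volume is what surfaces the new category as the cause.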
The editorial board reserves the right not to bring any content, views or comments of articles in the Journal of Thai-Nichi Institute of Technology to publish before receiving permission from the authorized author(s) in writing. The published work is the copyright of the Journal of Thai-Nichi Institute of Technology.